1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
|
policy_module(rpc, 1.13.0)
########################################
#
# Declarations
#
## <desc>
## <p>
## Allow gssd to read temp directory. For access to kerberos tgt.
## </p>
## </desc>
gen_tunable(allow_gssd_read_tmp, true)
## <desc>
## <p>
## Allow nfs servers to modify public files
## used for public file transfer services. Files/Directories must be
## labeled public_content_rw_t.
## </p>
## </desc>
gen_tunable(allow_nfsd_anon_write, false)
type exports_t;
files_config_file(exports_t)
rpc_domain_template(gssd)
type gssd_tmp_t;
files_tmp_file(gssd_tmp_t)
type rpcd_var_run_t;
files_pid_file(rpcd_var_run_t)
# rpcd_t is the domain of rpc daemons.
# rpc_exec_t is the type of rpc daemon programs.
rpc_domain_template(rpcd)
type rpcd_initrc_exec_t;
init_script_file(rpcd_initrc_exec_t)
rpc_domain_template(nfsd)
type nfsd_initrc_exec_t;
init_script_file(nfsd_initrc_exec_t)
type nfsd_rw_t;
files_type(nfsd_rw_t)
type nfsd_ro_t;
files_type(nfsd_ro_t)
type var_lib_nfs_t;
files_mountpoint(var_lib_nfs_t)
########################################
#
# RPC local policy
#
allow rpcd_t self:capability { sys_admin chown dac_override setgid setuid };
allow rpcd_t self:process { getcap setcap };
allow rpcd_t self:fifo_file rw_fifo_file_perms;
allow rpcd_t rpcd_var_run_t:dir setattr;
manage_files_pattern(rpcd_t, rpcd_var_run_t, rpcd_var_run_t)
files_pid_filetrans(rpcd_t, rpcd_var_run_t, file)
# rpc.statd executes sm-notify
can_exec(rpcd_t, rpcd_exec_t)
kernel_read_system_state(rpcd_t)
kernel_read_network_state(rpcd_t)
# for rpc.rquotad
kernel_read_sysctl(rpcd_t)
kernel_rw_fs_sysctls(rpcd_t)
kernel_dontaudit_getattr_core_if(rpcd_t)
kernel_signal(rpcd_t)
corecmd_exec_bin(rpcd_t)
files_manage_mounttab(rpcd_t)
files_getattr_all_dirs(rpcd_t)
fs_list_rpc(rpcd_t)
fs_read_rpc_files(rpcd_t)
fs_read_rpc_symlinks(rpcd_t)
fs_rw_rpc_sockets(rpcd_t)
fs_get_all_fs_quotas(rpcd_t)
fs_getattr_all_fs(rpcd_t)
storage_getattr_fixed_disk_dev(rpcd_t)
selinux_dontaudit_read_fs(rpcd_t)
miscfiles_read_generic_certs(rpcd_t)
seutil_dontaudit_search_config(rpcd_t)
optional_policy(`
automount_signal(rpcd_t)
automount_dontaudit_write_pipes(rpcd_t)
')
optional_policy(`
nis_read_ypserv_config(rpcd_t)
')
########################################
#
# NFSD local policy
#
allow nfsd_t self:capability { dac_override dac_read_search sys_admin sys_resource };
allow nfsd_t self:udp_socket listen;
allow nfsd_t exports_t:file read_file_perms;
allow nfsd_t { nfsd_rw_t nfsd_ro_t }:dir list_dir_perms;
# for /proc/fs/nfs/exports - should we have a new type?
kernel_read_system_state(nfsd_t)
kernel_read_network_state(nfsd_t)
kernel_dontaudit_getattr_core_if(nfsd_t)
corenet_tcp_bind_all_rpc_ports(nfsd_t)
corenet_udp_bind_all_rpc_ports(nfsd_t)
dev_dontaudit_getattr_all_blk_files(nfsd_t)
dev_dontaudit_getattr_all_chr_files(nfsd_t)
dev_rw_lvm_control(nfsd_t)
# does not really need this, but it is easier to just allow it
files_search_pids(nfsd_t)
# for exportfs and rpc.mountd
files_getattr_tmp_dirs(nfsd_t)
# cjp: this should really have its own type
files_manage_mounttab(nfsd_t)
files_read_etc_runtime_files(nfsd_t)
fs_mount_nfsd_fs(nfsd_t)
fs_search_nfsd_fs(nfsd_t)
fs_getattr_all_fs(nfsd_t)
fs_getattr_all_dirs(nfsd_t)
fs_rw_nfsd_fs(nfsd_t)
storage_dontaudit_read_fixed_disk(nfsd_t)
storage_raw_read_removable_device(nfsd_t)
# Read access to public_content_t and public_content_rw_t
miscfiles_read_public_files(nfsd_t)
# Write access to public_content_t and public_content_rw_t
tunable_policy(`allow_nfsd_anon_write',`
miscfiles_manage_public_files(nfsd_t)
')
tunable_policy(`nfs_export_all_rw',`
dev_getattr_all_blk_files(nfsd_t)
dev_getattr_all_chr_files(nfsd_t)
fs_read_noxattr_fs_files(nfsd_t)
files_manage_non_auth_files(nfsd_t)
')
tunable_policy(`nfs_export_all_ro',`
dev_getattr_all_blk_files(nfsd_t)
dev_getattr_all_chr_files(nfsd_t)
files_getattr_all_pipes(nfsd_t)
files_getattr_all_sockets(nfsd_t)
fs_read_noxattr_fs_files(nfsd_t)
files_list_non_auth_dirs(nfsd_t)
files_read_non_auth_files(nfsd_t)
')
########################################
#
# GSSD local policy
#
allow gssd_t self:capability { dac_override dac_read_search setuid sys_nice };
allow gssd_t self:process { getsched setsched };
allow gssd_t self:fifo_file rw_file_perms;
manage_dirs_pattern(gssd_t, gssd_tmp_t, gssd_tmp_t)
manage_files_pattern(gssd_t, gssd_tmp_t, gssd_tmp_t)
files_tmp_filetrans(gssd_t, gssd_tmp_t, { file dir })
kernel_read_system_state(gssd_t)
kernel_read_network_state(gssd_t)
kernel_read_network_state_symlinks(gssd_t)
kernel_request_load_module(gssd_t)
kernel_search_network_sysctl(gssd_t)
kernel_signal(gssd_t)
corecmd_exec_bin(gssd_t)
fs_list_rpc(gssd_t)
fs_rw_rpc_sockets(gssd_t)
fs_read_rpc_files(gssd_t)
fs_list_inotifyfs(gssd_t)
files_list_tmp(gssd_t)
files_read_usr_symlinks(gssd_t)
files_dontaudit_write_var_dirs(gssd_t)
auth_use_nsswitch(gssd_t)
auth_manage_cache(gssd_t)
miscfiles_read_generic_certs(gssd_t)
mount_signal(gssd_t)
userdom_signal_all_users(gssd_t)
tunable_policy(`allow_gssd_read_tmp',`
userdom_list_user_tmp(gssd_t)
userdom_read_user_tmp_files(gssd_t)
userdom_read_user_tmp_symlinks(gssd_t)
')
optional_policy(`
automount_signal(gssd_t)
')
optional_policy(`
kerberos_keytab_template(gssd, gssd_t)
')
optional_policy(`
pcscd_read_pub_files(gssd_t)
')
optional_policy(`
xserver_rw_xdm_tmp_files(gssd_t)
')
|
GitWeb